Date: Tue, 25 Jun 2002 20:14:06 -0400 (EDT)
From: Matt Piechota <piechota@argolis.org>
To: Theo de Raadt <deraadt@cvs.openbsd.org>
Cc: "Jacques A. Vidrine" <nectar@FreeBSD.ORG>, <freebsd-security@FreeBSD.ORG>
Subject: Re: Hogwash
Message-ID: <20020625200442.B5151-100000@cithaeron.argolis.org>
In-Reply-To: <200206250058.g5P0wgLJ021374@cvs.openbsd.org>
On Mon, 24 Jun 2002, Theo de Raadt wrote:

> > Still, we'll all be much more at ease once all the cards are on the
> > table. I appreciate that you are trying to prepare users, but forgive
> > me if I don't agree that withholding the details is the best approach.
>
> So please, humour me. Who precisely should I be telling this
> information to, who isn't going to leak it, ship patches to their
> customers early, etc.

Since I started this (somewhat), I'll clarify what I meant:

It would be nice if only a version spread were mentioned. It's implied
that it's all OpenSSH before 3.3p1, but that wasn't quite clear. It talked
a lot about privsep, and I was hoping that it was only a privsep problem
and would not affect me.

Obviously, you don't want to release full details without a patch, but
something along the lines of:

There's a hole in OpenSSH that affects all versions. It's a remote DOS,
and may cause a root hole. Use privsep if you can.

I know that's almost what you said, but IMHO it's just a touch clearer, so
there's no doubt what needs to be done.

--
Matt Piechota

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message